f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
Size

3.6MB
MD5

4a09de0d523a1a2207005a826c1a0ea0
SHA1

69db3c2309c335c119af541f7639e2048821c507
SHA256

f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37
SHA512

7a68992abc4932530cda33143ff5372a8047bc268fda7795c1c33001f28989fdd58c75d4af364ea3eb6ccf3809540e1e15670dd0de1155893a435ed90e4fc17b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpCbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe

Executes dropped EXE 2 IoCs

pid	Process
4948	sysdevbod.exe
1428	aoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWQ\\aoptisys.exe"	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid76\\dobaloc.exe"	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe
4948	sysdevbod.exe
4948	sysdevbod.exe
1428	aoptisys.exe
1428	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4948	4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe	85
PID 4472 wrote to memory of 4948	4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe	85
PID 4472 wrote to memory of 4948	4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe	85
PID 4472 wrote to memory of 1428	4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe	87
PID 4472 wrote to memory of 1428	4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe	87
PID 4472 wrote to memory of 1428	4472	f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe	87

C:\Users\Admin\AppData\Local\Temp\f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe
"C:\Users\Admin\AppData\Local\Temp\f1f9e35c3db8e2523fe15cbb58a6a597404087771d94eab864f651d3452d0c37.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\IntelprocWQ\aoptisys.exe
  C:\IntelprocWQ\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocWQ\aoptisys.exe

Filesize
3.6MB

MD5
39f51802ad507bec999de46d48bbecb9

SHA1
3ea358c25b13f6f1145064b7b48d4fa9d88e40e6

SHA256
125fd9f0adbd621cf536a247eb1bcfe2be69ad538f59127f18dfd0f65b8b9af8

SHA512
6283ffcaeeb0e4ee763175d833f1e7513bf313ac400adfa351295a723e30e60deef2ab4d41dae950f22341aac6ef948f3a70678bd273291de5827c57b5eb284a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
309137705eb27c92e2c17f1aaef1e2ec

SHA1
bd95894a0127c7efc6b136403f266c02e26bcb19

SHA256
a74f2aa961cd69cd01def97c874231884b72f6650653582126390f17d057c664

SHA512
0f96fd9714487cddeec3784832a23adaf2a7bbe513207f8e318ab4b2dbd9feaeeec334419fe2c4f7d773a5fd21896f10c026317dccf36fc090019ecb711925a7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
84c8d6925e3a08f437cc6208a8783828

SHA1
fa40c2d2623f6e6d2da3c3c60ab0de02605ce98f

SHA256
8394e19ca790d5d8e12fc5bb9a6eeb2fc9b83d6c2b0db43634411a18db982724

SHA512
482fb2cc3afcce9b2995491aa9cdaa190f988c7d57da15f246939b4d06525a8ed29ef50eb366b2324705a5489ce823b3f1f2e2e321fc2174b0a0a440de0700c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
824361ebb0e4ba08b34da9fd8aa069a4

SHA1
e59a385a0d9f8734ffd00f9b75399bb2bdc6aaa6

SHA256
fb985fe632d52982eb2281a23514922d1e0eaeb0f69fc9a825285cf35e035438

SHA512
e35fb134a945308e628696951c44725759ef17e9c4b3e885399303d2f33aa54c04c9dee3540556dad0bd7e4689677d9e6543cbefbf4846c08677f172036997b7

Download Submit
C:\Vid76\dobaloc.exe

Filesize
10KB

MD5
1b916c50de9513bd35995ff6e69aef92

SHA1
52937fef400b241d4a8b1ddd227652b7c677d4bb

SHA256
87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0

SHA512
7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Download Submit
C:\Vid76\dobaloc.exe

Filesize
9KB

MD5
16a4bb0fc3d5c44be3028068af1ea1ef

SHA1
3525da0805ed7773dfef437f24482b727389e9db

SHA256
cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d

SHA512
b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b

Download Submit